Use SSL Encryption with PostgreSQL on Ubuntu 20.04 - Knowledgebase

Introduction

By default, most installations of PostgreSQL use insecure connections instead of encrypted connections. This guide explains how to use a free Let's Encrypt certificate to secure connections to your PostgreSQL server.

Prerequisites

Before beginning this guide:

Deploy an Ubuntu 20.04 LTS cloud server at Rcs.
Create a fully-qualified domain name (DNS "A" record) that points to your server's IP address.

1. Install PostgreSQL

Install the main PostgreSQL packages.

$ sudo apt install postgresql postgresql-contrib

Set the password for the postgres account.

$ sudo -u postgres psql -c "ALTER USER postgres PASSWORD '<new_password>';"

2. Install Certbot and Certificate

Certbot is the free tool to automatically request Let's Encrypt certificates.

Follow our guide to install Certbot with Snap.

Request a certificate for your server. Replace psql.example.com with the fully-qualified domain name of your server.

$ sudo certbot certonly --standalone -d psql.example.com

3. Create a Certbot Renewal Hook for PostgreSQL

Certbot's certificates are only accessible by root. To allow PostgreSQL to use the certificate, it must create a copy with a Certbot renewal hook.

Look up the PostgreSQL data directory. You'll use this value in the renewal hook file.
```
 $ sudo -u postgres psql -U postgres -c 'SHOW data_directory'
```

Create the renewal hook file.

 $ sudo nano /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy

Paste the following. Replace psql.example.com with your server's fully-qualified domain name. Replace the value for DATA_DIR with your PostgreSQL data directory.

 #!/bin/bash
 umask 0177
 DOMAIN=psql.example.com
 DATA_DIR=/var/lib/postgresql/12/main
 cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
 cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key
 chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key

Save and exit the file.

Give the file executable permissions.

 $ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy

4. Configure PostgreSQL for SSL

Get the path of the PostgreSQL configuration file:

 $ sudo -u postgres psql -U postgres -c 'SHOW config_file'

Edit the file shown by the previous command. For example:
```
 $ sudo nano /etc/postgresql/12/main/postgresql.conf
```

Locate the SSL section and edit your file to match these SSL settings:

 ssl = on  
 ssl_cert_file = 'server.crt'  
 ssl_key_file = 'server.key'  
 ssl_prefer_server_ciphers = on

Locate the Connection Settings section and verify the listen_address is to * for all addresses. Make sure the line is not commented out. For example:
```
 listen_address = '*'
```
Save and exit the file.

5. PostgreSQL Connection Configuration

Get the path of the PostgreSQL configuration file:

 $ sudo -u postgres psql -U postgres -c 'SHOW config_file'

Edit the pg_hba.conf file, which is in the same directory as the configuration file. For example:
```
 $ sudo nano /etc/postgresql/12/main/pg_hba.conf
```
Add the following line to enable secure SSL traffic from the internet.
```
 hostssl all all 0.0.0.0/0 md5
```
Optionally, to also allow insecure connections, add the following line:
```
 host all all 0.0.0.0/0 md5
```
Save and exit the file.

6. Renew the Certificate

Perform a forced renewal, which triggers the Certbot renewal hook to copy the certificates to the correct location for PostgreSQL.
```
 $ sudo certbot renew --force-renewal
```

Look up the PostgreSQL data directory.

 $ sudo -u postgres psql -U postgres -c 'SHOW data_directory'

Verify that Certbot copied the certs to the PostgreSQL data directory. For example:
```
 $ sudo ls /var/lib/postgresql/12/main/server.*
```
Restart PostgreSQL
```
 $ service postgresql restart
```

7. Test the Connection

Connect to the database from another machine with the PostgreSQL client installed. Replace psql.example.com with your server's fully qualified domain name.

$ psql -d "dbname=postgres sslmode=require" -h psql.example.com -U postgres

You should see the PostgreSQL prompt.

Password for user postgres:
psql (12.8 (Ubuntu 12.8-0ubuntu0.20.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

Type BackslashQ to exit the PostgreSQL client.

postgres=# \q

More Information

See the official documentation for more information.

Introduction By default, most installations of PostgreSQL use insecure connections instead of encrypted connections. This guide explains how to use a free Let's Encrypt certificate to secure connections to your PostgreSQL server. Prerequisites Before beginning this guide: Deploy an Ubuntu 20.04 LTS cloud server at Rcs. Create a fully-qualified domain name (DNS "A" record) that points to your server's IP address. 1. Install PostgreSQL Install the main PostgreSQL packages. $ sudo apt install postgresql postgresql-contrib Set the password for the postgres account. $ sudo -u postgres psql -c "ALTER USER postgres PASSWORD '';" 2. Install Certbot and Certificate Certbot is the free tool to automatically request Let's Encrypt certificates. Follow our guide to install Certbot with Snap. Request a certificate for your server. Replace psql.example.com with the fully-qualified domain name of your server. $ sudo certbot certonly --standalone -d psql.example.com 3. Create a Certbot Renewal Hook for PostgreSQL Certbot's certificates are only accessible by root. To allow PostgreSQL to use the certificate, it must create a copy with a Certbot renewal hook. Look up the PostgreSQL data directory. You'll use this value in the renewal hook file. $ sudo -u postgres psql -U postgres -c 'SHOW data_directory' Create the renewal hook file. $ sudo nano /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy Paste the following. Replace psql.example.com with your server's fully-qualified domain name. Replace the value for DATA_DIR with your PostgreSQL data directory. #!/bin/bash umask 0177 DOMAIN=psql.example.com DATA_DIR=/var/lib/postgresql/12/main cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key Save and exit the file. Give the file executable permissions. $ sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy 4. Configure PostgreSQL for SSL Get the path of the PostgreSQL configuration file: $ sudo -u postgres psql -U postgres -c 'SHOW config_file' Edit the file shown by the previous command. For example: $ sudo nano /etc/postgresql/12/main/postgresql.conf Locate the SSL section and edit your file to match these SSL settings: ssl = on ssl_cert_file = 'server.crt' ssl_key_file = 'server.key' ssl_prefer_server_ciphers = on Locate the Connection Settings section and verify the listen_address is to * for all addresses. Make sure the line is not commented out. For example: listen_address = '*' Save and exit the file. 5. PostgreSQL Connection Configuration Get the path of the PostgreSQL configuration file: $ sudo -u postgres psql -U postgres -c 'SHOW config_file' Edit the pg_hba.conf file, which is in the same directory as the configuration file. For example: $ sudo nano /etc/postgresql/12/main/pg_hba.conf Add the following line to enable secure SSL traffic from the internet. hostssl all all 0.0.0.0/0 md5 Optionally, to also allow insecure connections, add the following line: host all all 0.0.0.0/0 md5 Save and exit the file. 6. Renew the Certificate Perform a forced renewal, which triggers the Certbot renewal hook to copy the certificates to the correct location for PostgreSQL. $ sudo certbot renew --force-renewal Look up the PostgreSQL data directory. $ sudo -u postgres psql -U postgres -c 'SHOW data_directory' Verify that Certbot copied the certs to the PostgreSQL data directory. For example: $ sudo ls /var/lib/postgresql/12/main/server.* Restart PostgreSQL $ service postgresql restart 7. Test the Connection Connect to the database from another machine with the PostgreSQL client installed. Replace psql.example.com with your server's fully qualified domain name. $ psql -d "dbname=postgres sslmode=require" -h psql.example.com -U postgres You should see the PostgreSQL prompt. Password for user postgres: psql (12.8 (Ubuntu 12.8-0ubuntu0.20.04.1)) SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off) Type "help" for help. postgres=# Type BACKSLASHQ to exit the PostgreSQL client. postgres=# \q More Information See the official documentation for more information.

Knowledgebase

Categories

Categories

Support

Use SSL Encryption with PostgreSQL on Ubuntu 20.04 Print

Introduction

Prerequisites

1. Install PostgreSQL

2. Install Certbot and Certificate

3. Create a Certbot Renewal Hook for PostgreSQL

4. Configure PostgreSQL for SSL

5. PostgreSQL Connection Configuration

6. Renew the Certificate

7. Test the Connection

More Information

Was this answer helpful?

Related Articles

Support

Knowledgebase

Categories

Categories

Support

Use SSL Encryption with PostgreSQL on Ubuntu 20.04 Print

Introduction

Prerequisites

1. Install PostgreSQL

2. Install Certbot and Certificate

3. Create a Certbot Renewal Hook for PostgreSQL

4. Configure PostgreSQL for SSL

5. PostgreSQL Connection Configuration

6. Renew the Certificate

7. Test the Connection

More Information

Was this answer helpful?

Related Articles

Support

Generate Password